b'           Smithsonian Institution\n           Office of the Inspector General\n\n\n           In Brief                                Employee and Contractor Screening Measures\n                                                   Report Number A-05-07, August 21, 2006\n\n\n\nWhy We Did This Audit                 What We Found\n\nThis is the second of three reports   According to Office of Protection Services (OPS) records, background\ncovering security issues at the       investigations were not conducted for half of the Smithsonian\xe2\x80\x99s employees hired\nSmithsonian. We initiated this        between October 1, 2003 and April 30, 2005. In addition, the Smithsonian could\naudit because recent OIG criminal     not provide records to demonstrate that background investigations had been\ninvestigations identified             conducted for contract employees.\nemployees with backgrounds\nunsuitable for their positions,           \xe2\x80\xa2   According to OPS records, only 967 (or 51 percent) of the 1,903\nraising concerns about the                    employees requiring background investigations who were hired during\neffectiveness of the Institution\xe2\x80\x99s            this period received one. Almost half of the Smithsonian\xe2\x80\x99s senior-level\nscreening of potential employees              employees did not have background investigations. In addition, 436 (or\nand contractors.                              81 percent) of the 535 contractors hired between June and December\n                                              2005 had no record of a background investigation, even though OPS\nWhat We Recommended                           began screening contract employees in June 2005.\n\nWe made 18 recommendations to             \xe2\x80\xa2   The Smithsonian had not identified employee or contractor positions\nstrengthen management of the                  requiring pre-appointment background investigations, although\nbackground screening program,                 Smithsonian policy recommends that pre-appointment background\nincluding pre-screening                       investigations be considered for individuals in sensitive curatorial,\nprospective employees for all                 information technology and financial positions.\ndesignated positions; improving\ndocumentation procedures;                 \xe2\x80\xa2   Volunteers, researchers, and interns who often have the same access to\nperforming background                         collection items and other assets as the Institution\xe2\x80\x99s employees and\ninvestigations for non-                       contractors were not required to be screened.\nSmithsonian employee positions,\nsuch as volunteers and visiting           \xe2\x80\xa2   When background investigations raised significant suitability issues, such\nresearchers; and establishing                 issues generally were not properly adjudicated. Of the employees we\ncloser supervision over the                   sampled whose Office of Personnel Management background\nadjudication of suitability                   investigations disclosed questionable backgrounds, 20 percent had\ndeterminations.                               significant suitability issues such as convictions or arrests for theft, drug\n                                              use and distribution, or assault and battery. OPS did not maintain any\nManagement generally concurred                records to indicate that these suitability issues were properly adjudicated.\nwith our findings and\nrecommendations and proposed a\ndetailed implementation plan that     To implement Homeland Security Presidential Directive 12, which imposes new\nresponds to our                       identity-proofing standards government-wide, the Smithsonian will have to\nrecommendations.                      significantly improve its identification of high-risk positions, processing and\n                                      tracking of investigations, adjudication of suitability issues, and record-keeping\n                                      practices.\n\n                                      For additional information or a copy of the full report, contact the Office of\n                                      the Inspector General at (202) 275-2244 or visit http://www.si.edu/oig.\n\x0c\x0cOPM conducts four types of background investigations for the Smithsonian: a National\nCriminal Investigation Check (NCIC), a National Agency Check and Inquiry (NACI), a\nSpecial Agreement Check (SAC), or a Full Field Investigation (FFI). Except for security\nofficers, these background investigations are not done until after employees have begun\nworking at the Institution. As summarized below, the category of background\ninvestigation to be conducted depends on the individual\xe2\x80\x99s position and type of\nemployment:\n\n   \xe2\x80\xa2   Security officers undergo an NCIC, which is the only one performed pre-\n       employment. The NCIC matches individuals against FBI arrest records. The\n       Institution also performs a NACI for security officers once they are hired.\n\n   \xe2\x80\xa2   Permanent employees below the senior level receive a NACI, which is the\n       minimum investigation required for all federal employees. This investigation\n       includes a check of FBI fingerprint and investigative files, OPM investigative files,\n       and military records, as well as written inquiries to law enforcement agencies,\n       former employers and supervisors, personal references and schools.\n\n   \xe2\x80\xa2   Friends of the National Zoo (FONZ), temporary, and contract employees undergo\n       a SAC, which is a review of FBI fingerprint files to determine criminal history.\n\n   \xe2\x80\xa2   Senior-level employees receive an FFI, a more rigorous investigation than the\n       NACI or SAC that examines the preceding 15 years of an individual\xe2\x80\x99s background.\n\nThe Smithsonian\xe2\x80\x99s Office of Protection Services (OPS) is responsible for administering\nthe Institution\xe2\x80\x99s background investigation process and maintaining investigative records\nwhile individuals are on the Smithsonian rolls. According to Smithsonian Directives (SD)\n212 and 213, OPS initiates background investigations by forwarding to OPM information\nquestionnaires completed by employees when they begin their employment. In June 2005,\nOPS expanded its fingerprint checks to all new employees and contractors, and now\ntransmits these fingerprints to OPM along with the information questionnaires. OPM\nthen conducts an investigation and issues a report, including an official certificate of\ninvestigation.\n\nUpon receipt of OPM\xe2\x80\x99s investigative report, OPS forwards the Certificate of Investigation\nto the Institution\xe2\x80\x99s Office of Human Resources (OHR) for retention in the employee\xe2\x80\x99s\nofficial personnel file. OPS is also required to forward to OHR any OPM findings\nquestioning the employee\xe2\x80\x99s suitability and any OPS recommendations. OHR then\nnotifies the unit-level hiring manager and assists in any necessary administrative actions.\nThe hiring manager, with assistance from OHR, is responsible for making the suitability\ndetermination and reporting its decision to OPS.\n\n\n\n\n                                             2\n\x0cRESULTS IN BRIEF\n\nAccording to OPS records, background investigations were not conducted for half of the\nInstitution\xe2\x80\x99s employees. Additionally, the Institution could not provide records to\ndemonstrate that background investigations had been conducted for contract employees.\n\n    \xe2\x80\xa2   According to OPS records, only 967 (or 51 percent) of the 1,903 employees\n        requiring background investigations who were hired between October 1, 2003 and\n        April 30, 2005 in fact underwent background investigations. While the employees\n        who were not screened were associated with various units across the Institution,\n        the majority of them were from FONZ, Smithsonian Business Ventures (SBV),\n                                                               1\n        and the Smithsonian Astrophysical Observatory (SAO).\n\n    \xe2\x80\xa2   According to OPS records, 103 (or 48 percent) of the Institution\xe2\x80\x99s 214 senior-level\n        employees did not have background investigations. Of the 111 who had them,\n        only 6 had the required FFI.\n\n    \xe2\x80\xa2   The Institution had not identified employee or contractor positions requiring pre-\n        appointment background investigations, although Institution policy recommends\n        that pre-appointment background investigations be considered for individuals in\n        sensitive curatorial, information technology and financial positions.\n\n    \xe2\x80\xa2   According to OPS records, 436 (or 81 percent) of the 535 contractors hired\n        between June and December 2005 had no record of a background investigation,\n        even though OPS began screening contract employees in June 2005.\n\n    \xe2\x80\xa2   Volunteers, researchers, and interns who often have the same access to collection\n        items and other assets as the Institution\xe2\x80\x99s employees and contractors were not\n        required to be screened.\n\nIn our opinion, proper screening would likely have prevented thefts of the Institution\xe2\x80\x99s\nassets. For example, an employee involved in a theft of checks from an Institution\nmailroom had prior arrests for fraudulent use of a credit card, possession of a stolen\nautomobile, and assault and battery. Another employee, who had a prior felony\nconviction for securing financial documents by deception and three misdemeanor\nconvictions for theft, embezzled funds from the Institution.\n\nIndividuals did not receive background investigations because OHR had not notified OPS\nof all new hires. In addition, OHR had not identified sensitive positions requiring either a\npre-employment investigation or a more rigorous background review and did not track\n\n1\n Based on discussions with OPM representatives and a cursory review of limited documentation provided\nby OPM, significantly more background investigations were performed for Smithsonian employees and\ncontractors than OPS records indicate. However, performing a detailed examination of OPM\xe2\x80\x99s records was\nbeyond the scope of our audit.\n\n\n                                                  3\n\x0cindividuals requiring an investigation to ensure all Official Personnel Folders contained a\nCertificate of Investigation. Further, OPS lacked an automated means of matching OHR\ndata on new hires with OPS records to ensure that all permanent and contract employees\nreceived the required screening. According to OPS staff, its tracking system lacked the\nfunctionality and capacity to accommodate all employee and contractor records.\nConsequently, OPS did not enter all individuals to be investigated in its tracking system,\nor keep complete records on the status of investigations.\n\nFurther, when background investigations raised significant suitability issues, such issues\ngenerally were not properly adjudicated. Of the 128 employees we sampled whose OPM\ninvestigations disclosed questionable backgrounds, 26 (20 percent) had significant\nsuitability issues such as convictions or arrests for theft, drug use and distribution, or\nassault and battery. OPS did not maintain any records to indicate that these suitability\nissues were properly adjudicated. According to OHR, except for one case, it was not\nmade aware of these suitability issues. In practice, OPS was making all of the suitability\ndeterminations, instead of referring issues to OHR and hiring officials for adjudication.\nOf those 26 employees, 13 are still working at the Institution and 13 were removed or\nresigned from their positions due to performance or conduct problems. At least 6 of the\n13 are serving in positions that pose a risk to the Institution, and the remaining 7 should\nbe re-evaluated to determine whether they pose a risk.\n\nBeginning in October 2006, the Institution will voluntarily implement Homeland Security\nPresidential Directive 12 (HSPD-12), which requires identity proofing, prompt initial\nbackground checks, and special identification cards for federal employees. Implementing\nthis directive will require that all permanent and contract employees receive a National\nAgency Check (a records check without interviews or reference checks) and a fingerprint\nanalysis before being issued identification badges. This background check will be\nfollowed by a more comprehensive NACI. Consequently, the Smithsonian will have to\nsignificantly improve its identification of high-risk positions, processing and tracking of\ninvestigations, adjudication of suitability issues, and recordkeeping practices.\n\nRESULTS OF AUDIT\n\nOPS Had No Record of Background Investigations for Half of the\nInstitution\xe2\x80\x99s Employees\n\nSmithsonian Directives (SD) 212 and 213 require that a background investigation be\ncompleted for all individuals newly appointed to the Institution to ensure their\nemployment will not pose a threat to the Institution or its visitors, staff, or collections.\nHowever, when we compared OHR\xe2\x80\x99s listing of new employees with OPS records we\nfound that only 967 (51 percent) of the 1,903 new hires from October 1, 2003 to April 30,\n2005 had records of background investigations.\n\n\n\n\n                                             4\n\x0cAs shown in the following chart, OPS had no records to indicate whether 936 employees\nhad been investigated, nor could they confirm whether background investigations had\nbeen conducted. While these individuals were associated with various units across the\nInstitution, the majority of them were from FONZ,2 SBV, and SAO.\n\n                                                CHART 1\n\n                     Background Investigations for Employees Hired\n                       Between October 1, 2003 and April 30, 2005\n\n\n\n                                                                       FONZ\n                                                                       (440)\n     Employees With\n       Background\n      Investigations\n          (967)                                                             SBV\n                                                                            (249)\n\n\n                                                                   Other\n                                                    SAO            (219)\n                                                    (28)\n\n                             Employees With Background Investigations\n\n                             Employees Without Background Investigations\n\n\nNeither OHR nor Payroll Records Were Used to Identify New Hires\n\nBackground investigations were not conducted for all employees because OPS was not\nnotified of all new hires either by OHR or by the separate human resources offices of\nFONZ, SAO, and SBV. At a minimum, Institution OHR units should notify OPS of new\nhires at the same time that individuals are added to the PeopleSoft Human Resources\nManagement System or to the Institution\xe2\x80\x99s payroll systems. For those positions requiring\na pre-appointment background check, the notification should coincide with a contingent\noffer to the prospective new hire.\n\nWe also found that OPS was not routinely matching its investigative requests against\npayroll or OHR records to ensure that it processed investigations for all new employees.\nFinally, OPS did not periodically report back to OHR, or to the OHR units of FONZ,\n\n2\n  FONZ employees are not employees of the Smithsonian Institution. However, they were included in the\nscope of the audit because FONZ has a Memorandum of Agreement with OPS to conduct background\ninvestigations of FONZ staff. In addition, for most Zoo visitors it is difficult to distinguish between Zoo\nemployees and FONZ employees and volunteers.\n\n\n                                                     5\n\x0cSAO, or SBV, to confirm that background investigations were in process. Consequently,\nif OPS did not request an investigation, the units had no way of knowing that\ninvestigations were not processed. For example, SAO human resources personnel told us\nthey were not aware that several of its employees had not received background checks\nbecause they expected OPS to notify them only if there were problems. According to\nFONZ personnel, they did not track the status of background investigations and only\nexpected to hear from OPS if there were problems.\n\nOPS Lacked Reliable and Adequately Designed System to Track Background Investigations\n\nWe found that OPS staff had not entered all employees that required background\ninvestigations into its tracking system, called NACIS. NACIS is a stand-alone database\nthat OPS has used since 1993 to track investigative requests referred to OPM. This\ndatabase records identifying information about individuals, the type of investigation\nrequested, and the dates that OPS submitted its requests to OPM, received investigative\nresults, and closed the investigations. The database is the only system of records\nmaintained by OPS to document employee and contractor screening that would indicate\nthe volume of background investigations processed. The database receives no IT systems\nadministration or user support.\n\nOPS staff told us they did not enter all employee records or complete information on\nindividuals because they believed that too many records would overload the tracking\nsystem, causing it to crash, as it did in 2000. The database tracking system uses antiquated\nsoftware which is no longer supported. Further, OPS staff stated that they received no\ntraining on data backup, record deletion, or report generation.\n\nNACIS was also unreliable as a tracking system because it contained inaccurate and\nincomplete data on key dates in the investigative process. We found that the date of the\nOPM investigation request for 938 of the 1,903 employees hired within our audit scope\npreceded the date employees submitted their background investigation questionnaire to\nOPS. We also noted approximately 160 records that had blank values in the \xe2\x80\x9creturned\xe2\x80\x9d\nand \xe2\x80\x9cclosed\xe2\x80\x9d date fields. OPS personnel admitted that these various data errors were due\nto inadequate data entry. We noted little or no supervisory review of data entry.\n\nOPS will need a new system to support the investigative function and requirements of\nHSPD-12. HSPD-12 requires identity proofing, prompt initial background checks, and\nspecial identification cards for federal employees. To comply with HSPD-12, the\nInstitution will have to verify and/or complete background investigations for all\nemployees. The Institution will also need a better designed and more reliable tracking\nsystem that is capable of matching investigative records against personnel records to\nensure that employees are properly screened. Moreover, given that employees and\nvolunteers with prior criminal records have been placed in positions of trust or given\naccess to the Institution\xe2\x80\x99s assets, greater efforts are also needed to identify high-risk\npositions and pre-screen all individuals serving in such positions.\n\n\n\n                                             6\n\x0cRecommendations\nTo ensure that all employees are identified and tracked for background screening in the\nshort term, we recommended that the Deputy Secretary and Chief Operating Officer:\n\n   1. Ensure that OPS obtains a bi-weekly listing of new employees from OHR, SAO,\n      SBV, and FONZ to ensure that background investigations are conducted for all\n      new hires.\n\n   2. Ensure that OPS works with the Office of the Chief Information Officer (OCIO)\n      to provide refresher training to OPS staff in data entry, report generation, and\n      other system capabilities.\n\nIn the long term, we recommended that the Deputy Secretary and Chief Operating\nOfficer:\n\n   3. Replace NACIS with a system that can better accommodate the growing volume of\n      background investigations as well as the additional recordkeeping requirements of\n      HSPD-12. The replacement system should also interface with the Institution\xe2\x80\x99s HR\n      systems so that new employee information can be readily exchanged and\n      reconciled to facilitate the processing of background investigations.\n\nWe also recommended that the Director of OPS:\n\n   4. Ensure that background investigations are or have been conducted for the 936\n      individuals who had no record of a background investigation.\n\n   5. Routinely reconcile new employee listings with background investigation\n      information tracked in NACIS and successor systems to ensure that it has a record\n      of all employee investigations and results.\n\n   6. Take steps to improve the accuracy of NACIS data.\n\nThe Type and Timing of Background Investigations Were Not Always\nDetermined by Position Risk\n\nA 1996 OPM study of personnel security and suitability issues at the Institution reported a\nneed to assign risk levels to positions to guide the type and timing of background\ninvestigations. OPM accordingly recommended that all Official Personnel Folders\ncontain a position description showing the proper risk designation level. In response to\nthis audit, the Institution indicated that OPS would work with OHR to ensure that proper\nposition risk levels were designated.\n\nAlthough the Institution agreed to implement the study\xe2\x80\x99s findings, we found it had not\nproperly designated risk levels for all positions or included such designations in\n\n\n                                            7\n\x0cemployees\xe2\x80\x99 Official Personnel Folders. Further, we noted that Smithsonian Directives 212\nand 213 require hiring managers to decide whether a pre-employment NACI background\ninvestigation is required for certain positions, including security officers, curators who\nwork with high value or portable collections, IT personnel, or individuals who handle\ncash. We found little evidence that the Institution had done so. To the contrary, OPS\nonly conducted pre-appointment investigations for security officers.\n\nSDs 212 and 213 also require OHR and OPS to decide whether an FFI is required for\nsenior-level employees and members of the professional research and curatorial staff who\nhave access to collections of high intrinsic value. Despite these directives, we found no\nrecord of background investigations for 103 (or 48 percent) of the Institution\xe2\x80\x99s\n214 senior-level employees.3 Of the remaining 111 senior-level employees for whom\nrecords existed, only 6 had the required FFI, even though 58 had been hired since the\npolicy was implemented in 1983. The remaining 56 employees were hired prior to 1983,\nbut nevertheless should have received an FFI after the policy became effective.\n\nHad all employees been properly screened, the Institution would likely have prevented the\nloss of some of its assets. For example, a recent OIG investigation determined that a\npermanent federal employee who was hired in the Office of the Comptroller without a\nbackground investigation had a prior felony conviction for securing financial documents\nby deception and three misdemeanor convictions for theft. This employee, who served in\na managerial position, was given access to the Institution\xe2\x80\x99s financial system and\nsubsequently stole approximately $58,000. This employee was convicted for the theft and\nimprisoned. In another example, the OIG investigated a theft of checks from an\nInstitution mailroom by an employee who did not undergo a background investigation.\nThe individual, who was subsequently terminated, had previously been arrested for a\nvariety of crimes, including assault and battery, and fraudulent use of a credit card.\n\nRecommendations\n\nBecause the Institution is not designating risk levels for certain sensitive positions such as\nindividuals with access to information systems, financial assets, and high-value\ncollections, we recommended that the Director of the Office of Human Resources:\n\n    7. Assess risk levels for each employee position and ensure all Official Personnel\n       Folders contain a position description showing the proper risk level.\n\n    8. Issue guidance for assessing the risk levels for contractors to guide the type and\n       timing of background investigations as well as the adjudication of investigative\n       results.\n\n\n\n3\n  According to OHR, the Institution currently defines senior-level employees as those employees for whom\nthe Smithsonian Institution Board of Regents make final compensation decisions.\n\n\n                                                    8\n\x0cWe also recommended that the Director of OPS:\n\n   9. Comply with Smithsonian Directives 212 and 213 by processing:\n\n        \xe2\x80\xa2   NACIs for those employees who are security officers, curators, IT personnel\n            or individuals who handle cash, but have not yet had a NACI, and\n\n        \xe2\x80\xa2   FFIs for senior-level employees and members of the professional research and\n            curatorial staff who have access to collections of high intrinsic value, but have\n            not yet had an FFI.\n\n   10. Ensure that all new employees hired into positions such as security officers,\n       curators, IT personnel, and individuals who handle cash, receive a pre-\n       employment investigation as required by Smithsonian Directives.\n\nInvestigations of Contract Employees Were Not Documented\n\nPrior to July 2005, background investigations on contractors were rarely performed. In\nJuly 2005, OPS implemented a policy requiring either a NACI or SAC investigation for all\ncontractors who carry Smithsonian identification badges. Contractors employed for\n6 months or less must have a SAC review of FBI records, which checks the criminal\nhistory of the individual. Contractors employed for more than 6 months are required to\nundergo a NACI investigation.\n\nWe found that although OPS began screening contractors in July 2005, it did not\ndocument those investigations or their results. Of the 535 contractors who were issued\nbadges from July 1, 2005 to December 31, 2005, 444 should have had a NACI background\ninvestigation, and 91 should have had a SAC investigation. However, for 436 of the 535\ncontractors (81 percent), OPS did not have a record of a background investigation. We\nnoted that six contractors worked in the cash management area of the Office of the\nComptroller and had access to the Institution\xe2\x80\x99s financial system and assets, but none had\nundergone background investigations. Another 38 contractors worked for OCIO and\nmay have had access to sensitive information systems.\n\nWhile it is possible that OPS processed SAC background checks for many of these\ncontractors, we could not find evidence they did so in OPS\xe2\x80\x99 tracking system because\ncontractor investigations are not documented in OPS\xe2\x80\x99 database. OPS officials told us they\nhad not entered records for all contractors into its tracking system because the system was\nat capacity and they feared it would crash if additional records were entered.\nOPS also did not maintain any manual records to demonstrate that investigations of\ncontractors were performed. Consequently, we could not determine whether all\ncontractors received background investigations or how suitability issues identified in\ninvestigations were adjudicated. Moreover, without documentation of investigations\nperformed, OPS cannot determine whether contractors who previously worked for the\nInstitution had already undergone a recent background investigation.\n\n\n                                              9\n\x0cRecommendation\n\nWe believe that our earlier recommendations, including that the NACIS system be\nreplaced with one that can better accommodate the requirements of HSPD-12, will\naddress the issues we identified. In the interim, however, we recommended that the\nDirector of OPS:\n\n   11. Establish a record-keeping system to document contractor investigations and their\n       results.\n\nVolunteers, Researchers, and Interns Were Not Required to Be Screened\n\nOver the course of any given year, the Institution benefits from the services of an\nestimated 6,500 volunteers and researchers, of whom approximately 25 percent have\naccess to the collections or financial assets of the Institution. Additionally, about\n1,000 interns serve at the Institution annually, some of whom work in high-risk areas.\nThe Institution does not screen volunteers, researchers, or interns even though many\nwork with employees whose positions have been designated as high-risk. For example,\nvolunteers in the Institution\xe2\x80\x99s \xe2\x80\x9cBehind-the-Scenes\xe2\x80\x9d Volunteer Program work in non-\npublic areas in the archives, libraries, conservation laboratories and curatorial divisions\nrelated to art, history, and science collections.\n\nBecause these individuals are not screened, volunteers with prior criminal records have\nworked among the collections at the Institution. For example, we learned of a volunteer\nwho had access to collections who had been convicted of a drug offense and was\nterminated from previous federal employment for certifying false statements. He\neventually received a background investigation when he later became a Trust, and then a\nFederal employee. However, he was terminated before his background investigation\ndisclosed his criminal history. Had the Smithsonian known about the individual\xe2\x80\x99s\ncriminal record when he was a volunteer, he might not have been hired as a permanent\nemployee.\n\nWe found that other museums, as a best practice, screen individuals seeking volunteer\nassignments. For example, the American Museum of Natural History in New York City\nrequires that every new volunteer submit to a background investigation as a condition of\nworking in the museum. While screening all volunteers and researchers at the Institution\nmay be impractical given the sheer volume of individuals who volunteer or conduct\nresearch at the Smithsonian, the Institution should require background investigations for\nat least those individuals with access to the collections or who participate in the Behind\nthe Scenes Volunteer Program, as well as those with access to information systems or\nfinancial assets.\n\n\n\n\n                                             10\n\x0cRecommendation\nWe recommended that the Director of OPS:\n\n   12. Establish a policy requiring that volunteers, researchers, and interns who have\n       access to collections, participate in the Behind the Scenes Volunteer Program, or\n       work with the Institution\xe2\x80\x99s information systems or financial assets be subject to\n       appropriate background investigations.\n\nSuitability Issues Were Not Properly Adjudicated or Recorded\n\nSmithsonian Directives 212 and 213 require that OPS determine whether material\nobtained during the OPM background investigation is important to the suitability\ndetermination. If significant, OPS must complete an additional review, report to OHR\nthe substance of its findings, and make recommendations concerning the hiring or\nretention of the individual. If OPS does not consider investigative information\nsignificant, OPS is required to return the information to OPM or to destroy it.\n\nWhen OHR receives OPS\xe2\x80\x99 suitability issues report, it is required to forward this\ninformation to the hiring official and assist with any administrative actions. The hiring\nofficial must report the results of his or her suitability determination to OPS. OPS\nsafeguards the investigative information while the employee is at the Institution.\n\nFor FONZ employees, OPS\xe2\x80\x94rather than OHR\xe2\x80\x94is responsible for making the ultimate\nsuitability determination. According to an August 21, 2001, memorandum of\nunderstanding between FONZ and the Institution, FONZ must accept OPS\xe2\x80\x99 suitability\ndetermination and is not entitled to know the specific reason for the decision. OPS must\nmaintain all FONZ employee files containing derogatory information for 10 years or for\n2 years after termination or denial of employment. According to the agreement, if the\nemployee is deemed suitable, OPS will destroy the files.\n\nDespite these requirements, our audit revealed that OPS had not forwarded suitability\nissues to OHR for adjudication, nor had it retained adjudication records for Smithsonian\nor FONZ employees. We sampled 128 of the 1,145 cases OPM completed from October\n1, 2002 to April 30, 2005 that were assigned a \xe2\x80\x9cseriousness\xe2\x80\x9d code by OPM. Of those\nsampled, we identified 26 (20 percent) that had serious suitability issues, such as charges\nof assault and battery, firearms possession, drug distribution and use, grand larceny, petty\nlarceny, receipt of stolen property, and falsification of employment applications. These\nissues were not adjudicated even though such charges made these individuals unsuitable\nfor work as a security officer or for working among the collections. Only one of the 26\nwas appropriately referred to OHR and terminated.\n\nRather than forwarding these cases to OHR for adjudication, OPS staff made the\nsuitability determinations themselves because they believed the issues were not significant\nenough to involve OHR or the hiring managers. OPS staff told us that Smithsonian\n\n\n                                             11\n\x0cDirectives were not clear on what constitutes a \xe2\x80\x9csignificant\xe2\x80\x9d investigative issue or how\nsignificant issues should be evaluated in making suitability determinations, thus leaving\nOPS significant discretion in evaluating background results. Additionally, there had been\nconsiderable turnover in supervisors of this process and suitability determinations\ngenerally had not been subjected to supervisory review.\n\nThe lack of appropriate suitability determinations resulted in OHR and hiring managers\nexpending significant resources disciplining, terminating and replacing employees. Of the\n26 significant cases we identified, we found that 8 individuals had left the Institution for\npoor performance or conduct, and five had resigned for various reasons. As of May 31,\n2006, 13 of these 26 individuals were still employed at the Institution.\n\nIn addition to our sample, recent OIG investigations identified two convicted felons who\nheld positions that were inappropriate given their criminal history. Had the nature of\ntheir offenses been known by management, these individuals would not have been placed\nin positions requiring close contact with the public.\n\nWe also found that OPS staff was not maintaining copies of OPM\xe2\x80\x99s investigative reports\nor documenting how they reached suitability determinations for cases with serious issues.\nFurther, OPS told us that the lack of security over the NACIS system, such as passwords\nor other access controls, made them reluctant to enter sensitive data such as comments\nabout suitability determinations. Finally, OPS told us that they lacked storage space to\nretain investigative records and would obtain copies from OPM when needed.\nAdditionally, regardless of the results of the background investigations, OPM policy\nrequires agencies to document that employees have undergone background investigations\nby filing Certificates of Investigation in the employees\xe2\x80\x99 Official Personnel Folders.\nHowever, we found OPS had not forwarded these certificates to the SAO, SBV, and FONZ\nhuman resources offices for inclusion in employee files.\n\nWithout the underlying records, it is difficult for the Institution to determine exactly how\nsuitability issues were adjudicated and whether the Institution and its assets are at risk\nbased on the sensitivity of the position assumed by such individuals. The lack of\ninvestigative records also could hamper OPS and OIG in investigating individuals who\nengage in wrongdoing after they are hired by the Smithsonian.\n\nRecommendations\nTo ensure that suitability issues are forwarded to OHR, we recommended that the\nDirector of OPS work with the Director of OHR to:\n\n   13. Revise SD 212 and 213 to define \xe2\x80\x9csignificant\xe2\x80\x9d investigative material and how it\n       should be used to determine suitability.\n\n   14. Require supervisory review and approval of suitability findings and\n       recommendations and ensure that OPS staff forwards recommendations to OHR.\n\n\n                                             12\n\x0c   15. Revisit OPS\xe2\x80\x99 original suitability determinations for the remaining 13 of the 26\n       employees identified in this audit to determine whether they are in appropriate\n       positions given any risks they may pose.\n\nTo ensure that the Institution adequately records and documents investigative records,\nsuitability recommendations, and adjudicative actions taken, we recommended that the\nDirector of OPS:\n\n   16. Determine what investigative information OPS should retain for all background\n       investigations, especially where there are significant suitability issues, to meet the\n       recordkeeping requirements of HSPD-12.\n\n   17. Ensure that all employee and contractor investigations, results, and actions taken\n       are entered into the NACIS and its future replacement system.\n\n   18. Ensure that Certificates of Investigation are sent to the appropriate OHR office for\n       inclusion in employees\xe2\x80\x99 Official Personnel Folders or contracting officials for all\n       contractors.\n\n\nMANAGEMENT RESPONSE\n\nThe Directors of OPS and OHR provided formal written comments to our July 14, 2006,\ndraft report on August 11, 2006. The Directors generally concurred with our findings and\nrecommendations and identified actions planned for each recommendation, as well as\ntarget dates for their completion. A brief summary of management\xe2\x80\x99s response grouped by\nfinding area follows.\n\nOPS had no record of background investigations for half of the Institution\xe2\x80\x99s employees.\nWe made six recommendations (1 through 6) to strengthen management of the\nbackground screening program and ensure all employees and other individuals affiliated\nwith the Institution are properly identified, screened and tracked. In response to our\nrecommendations, OPS and OHR have improved communications between their\ndepartments, and OPS will get bi-weekly listings of new employees from all OHR-serviced\nstaff, including SAO, as well as bi-weekly listings from SBV and FONZ.\n\nTo address the data-entry and report-generation issues, the OPS Director has ordered\nmandatory refresher training on NACIS for all personnel security staff. In the short term,\nOPS is also examining the option of shifting this database into a Microsoft-based or other\ndatabase software. Nonetheless, OPS recognizes that this would serve only as a temporary\nsolution because it will not satisfy HSPD-12 requirements. OPS has been working with\nOCIO and a contractor to explore options for a more sophisticated tracking system that\nwould meet HSPD-12 requirements. Based on our recommendation, the system design\nwill include a linkage between the new system and the current OHR personnel system.\n\n\n                                             13\n\x0cOPS estimates the new system will be available by FY 2008 at the latest, earlier if adequate\nfunding is made available.\n\nThe OPS Director also has designated an internal analyst to perform a complete audit of\nall personnel security information, data entry and documentation. The analyst will\nreconcile existing records, perform a weekly audit of all new personnel security\ntransactions and, from this point forward, continue to update the database through the\ncomplete life cycle of all Smithsonian background investigations. In addition, OPS will\nwork closely with OPM to identify any employees or contractors that have not had an\ninvestigation and ensure that appropriate investigations are completed. This will be\naccomplished by December 2006.\n\nType and timing of background investigations were not always determined by position\nrisk. We issued four recommendations (7 through 10) associated with this finding. OPS\nand OHR agreed to work cooperatively to develop sensitivity levels and the associated\ntypes of background investigations for all employee, contractor, and other positions at the\nInstitution. Once this framework has been established, OPS will work closely with OPM\nto ensure appropriate investigations are completed for all individuals, including senior\nlevel staff. Additionally, OPS and OHR will begin prescreening prospective employees for\nall designated positions and explore the procurement of investigative services other than\nOPM to ensure thorough and timely completion of pre-employment investigations to\navoid delays in the hiring process. All corrective actions for this finding are estimated to\nbe completed by January 2007.\n\nInvestigations of contract employees were not documented. Regarding recommendation\n11, OPS agreed to begin recording contractor investigations and their results in the\nNACIS database by September 1, 2006, and will continue to use NACIS until a new\ntracking system is developed.\n\nVolunteers, researchers, and interns were not required to be screened. In response to\nrecommendation 12, OPS agreed to establish appropriate sensitivity levels for non-\nemployee positions and to ensure proper background checks are performed for those in\nsuch positions as a condition of receiving Smithsonian identification badges. Because of\nthe substantial investment of time and resources involved, including at least 10,000\ninvestigations, OPS set a target date of September 30, 2007.\n\nSuitability issues were not properly adjudicated or recorded. We made six\nrecommendations (13 through 18) to strengthen the adjudication and documentation of\nsuitability determinations. Management agreed to implement a series of corrective\nactions between July 2006 and August 2007 to address the recommendations. The OPS\nand OHR Directors will work together to update the applicable Smithsonian Directives\nand the Security Manual, ensure all suitability determinations are properly supervised,\nand adjudicate each employee case we identified as having questionable suitability\ndeterminations.\n\n\n\n                                             14\n\x0cIn addition, the OPS Director will comply with all OPM guidance on federal employee\nrecords retention and enhance record-keeping for each individual employed by or\naffiliated with the Institution, including volunteers and contractors. An OPS analyst and\nOFEO senior manager will perform a 100 percent weekly review of all personnel security\ninformation, data entry, and documentation and submit a weekly report to the OPS\nDirector. Finally, OPS will submit OPM Certificates of Investigation to OHR and require\nOHR confirmation that the certificates have been placed in the employees\xe2\x80\x99 Official\nPersonnel Folders. For contractors, OPS will forward documentation of investigations to\nOCON for record-keeping.\n\nThe full text of management\xe2\x80\x99s comments is attached as Appendix B.\n\nOFFICE OF THE INSPECTOR GENERAL COMMENTS\n\nManagement\xe2\x80\x99s proposed actions are responsive to our recommendations, and we\nconsider the recommendations resolved. We note, however, that several\nrecommendations are not scheduled to be completed until August 2007 or beyond,\ndepending on the availability of resources. Given the sensitive nature of the weaknesses\nwe identified and their effect on the security and safety of the Institution\xe2\x80\x99s employees,\nvisitors, collections, and financial assets, we expect management will make these actions a\nhigh priority and either acquire or reallocate the resources necessary to ensure full\nimplementation of the corrective actions as soon as is practicable.\n\n\n\n\n                                            15\n\x0cAPPENDIX A. SCOPE AND METHODOLOGY\n\nWe reviewed OPM and Smithsonian Institution policies and procedures for conducting\nbackground investigations of employees and contractors. We reviewed the Appraisal\nReport of Personnel Security & Suitability Programs for the Smithsonian Institution\nissued by OPM in 1997 and evaluated whether its recommendations had been\nimplemented. We read the requirements of HSPD-12 and considered its impact on the\nInstitution\xe2\x80\x99s employee and contractor screening program.\n\nTo evaluate the adequacy of the Institution\xe2\x80\x99s background screening process, we reviewed\nbackground investigations conducted for employees from October 1, 2003 through April\n30, 2005. We analyzed new employee listings from the human resources offices of the\nInstitution, Smithsonian Astrophysical Observatory (SAO), Smithsonian Business\nVentures (SBV), and the Friends of the National Zoo (FONZ); contractor listings from\nthe Office of Protection Services (OPS) Identification Office; and the OPS database\n(NACIS) of background investigation records. We also evaluated the suitability\ndeterminations associated with serious issues identified from Office of Personnel\nManagement (OPM) background investigations. We interviewed various management\nand staff of OHR, OPS, other key units at the Institution, and OPM.\n\nWe compared listings of new employees hired by the Smithsonian, SAO, SBV, and FONZ\nfrom October 1, 2003 to April 30, 2005 to the OPS NACIS database. During that period,\nthese offices hired 1,903 new employees who should have received background\ninvestigations. We also compared listings of contractors who were issued identification\nbadges from July 1, 2005 to December 31, 2005 to the OPS NACIS database. As of\nDecember 31, 2005, identification badges had been issued to 535 contractors.\n\nWe compared listings of senior-level employees to the OPS NACIS database to determine\nwhether they had received the appropriate background investigations. We compared\nOHR listings of new hires and information reported by OPM to the OPS NACIS database\nto determine whether background investigative records were complete and accurate.\n\nTo determine whether background investigations with significant suitability issues were\nappropriately adjudicated, we examined a sample of 128 background investigative reports\nthat had been identified by OPM as having serious suitability issues. We judgmentally\nselected 26 of the more serious cases for closer examination. We researched the OPS\nNACIS database and interviewed OPS and Office of Human Resources staff to determine\nthe extent of the suitability determinations.\n\nWe conducted our audit between July 2005 and May 2006 in accordance with Government\nAuditing Standards, as prescribed by the Comptroller General of the United States, and\nincluded tests of management controls as we considered necessary.\n\n\n\n\n                                           16\n\x0cAPPENDIX B. MANAGEMENT COMMENTS\n\n\n\n\n                        17\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        18\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        19\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        20\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        21\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        22\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        23\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        24\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        25\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        26\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        27\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        28\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        29\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        30\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        31\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        32\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        33\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        34\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        35\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        36\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        37\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        38\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        39\n\x0cAPPENDIX B. MANAGEMENT COMMENTS (CONTINUED)\n\n\n\n\n                        40\n\x0c'